Openvpn with firewall4

I'm using the latest 22.03.0-rc1 (on multiple devices, but let's say a GL-AR750s here) and everything is running smoothly except OpenVPN. In every instance, OpenVPN connects without issue and the router itself can use the OpenVPN connection, but I can't use it from my LAN PC and I can't figure out why.

I also have an alternative WireGuard VPN link that I use if OpenVPN gives me trouble for any reason. The WireGuard VPN connects perfectly (as OpenVPN does), except that it also lets my LAN PC use the tunnel as intended. The only changes I make to switch from the OpenVPN interface to the WireGuard interface are in the config interface 'VPN' section of the /etc/config/network file, so I don't understand why OpenVPN can't route my LAN traffic but WireGuard can.

Is there a known bug with firewall4? I can use the alternative wireguard link forever but I do use openvpn about once a month for specific websites.

        "kernel": "5.10.111",
        "hostname": "R0cky",
        "system": "ARMv8 Processor rev 4",
        "model": "Pine64 RockPro64 v2.1",
        "board_name": "pine64,rockpro64-v2.1",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0-rc1",
                "revision": "r19302-df622768da",
                "target": "rockchip/armv8",
                "description": "OpenWrt 22.03.0-rc1 r19302-df622768da"
        }
}
# UCI 'dhcp' package as exported by the poster: dnsmasq (DNS + DHCPv4),
# PXE/iPXE network-boot options, and odhcpd settings.
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS-rebinding defence: upstream answers that point into private
        # address ranges are discarded.
        option rebind_protection '1'
        # Exception to the above: 127.0.0.0/8 answers are still allowed.
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Only answer DNS queries from hosts on directly attached subnets.
        option localservice '1'
        # DNSSEC validation of upstream replies is switched on.
        option dnssec '1'
        option boguspriv '1'
        option filterwin2k '0'
        option nonegcache '0'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Bind only to configured interfaces instead of the wildcard address.
        option nonwildcard '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

# DHCPv4 pool plus router advertisements for the 'lan' interface.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Network-boot (PXE/iPXE) options handed out with DHCP leases.
# NOTE(review): PXE clients do not authenticate the boot file they are told
# to load, so the server that provides ipxe.efi / boot.ipxe should be one
# the LAN trusts; which server that is cannot be seen in this export.
config boot 'linux'
        option filename 'ipxe.efi'
        option force '1'
        list dhcp_option '209,boot.ipxe'

# Tag clients by DHCP option 60 (vendor class): legacy BIOS vs. 64-bit EFI.
config match
        option networkid 'set:bios'
        option match '60,PXEClient:Arch:00000'

config match
        option networkid 'set:efi64'
        option match '60,PXEClient:Arch:00009'

config match
        option networkid 'set:efi64'
        option match '60,PXEClient:Arch:00007'

# Tag clients that already run iPXE (user class 'iPXE').
config userclass
        option networkid 'set:ipxe'
        option userclass 'iPXE'

# Boot file selection keyed on the tags set above.
config boot
        option filename 'tag:bios,tag:!ipxe,undionly.kpxe'

config boot
        option filename 'tag:bios,tag:ipxe,boot.ipxe'

config boot
        option filename 'tag:efi64,tag:!ipxe,ipxe.efi'

# No DHCP service on the upstream-facing interfaces.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wwan'
        option interface 'wwan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# UCI 'network' package as exported by the poster: LAN bridge, WAN,
# the OpenVPN-backed 'VPN' interface and the WireGuard interface 'wg0'.
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        option bridge_empty '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        # NOTE(review): the `ip route show` output on this page lists
        # 192.168.7.0/24 on br-lan, which does not match this address;
        # one of the two was presumably edited before posting.
        option ipaddr '192.168.117.1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option delegate '0'
        # Ignore DNS servers offered by the upstream DHCP server and use the
        # fixed resolver below instead.
        option peerdns '0'
        option dns '208.67.222.222'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2'

config switch
        option name 'switch1'
        option reset '1'
        option enable_vlan '2'

config switch_vlan
        option device 'switch1'
        option vlan '2'
        option ports '0'

# Logical interface wrapped around the OpenVPN tunnel device tun0.
# The firewall zone 'vpnzone' on this page refers to this interface by name,
# so the zone's rules depend on this interface being associated with tun0.
config interface 'VPN'
        # A DHCP client is configured on the tunnel device here; the reply on
        # this page recommends Unmanaged/none instead.
        option proto 'dhcp'
        option device 'tun0'
        option delegate '0'
        option dns '104.223.91.194 104.223.91.210'
        option peerdns '0'

# WireGuard interface. No peer sections are visible in this export.
config interface 'wg0'
        option proto 'wireguard'
        option delegate '0'
        option mtu '1380'
        list addresses '10.0.236.1/32'
        # Secret: whoever holds this key can act as this WireGuard endpoint.
        # The value shown looks like a redaction placeholder; real keys should
        # stay out of posted configs.
        option private_key 'fffffffff='
        # NOTE(review): the firewall rule 'OpenWG' on this page opens UDP
        # 51820, not this port - confirm which one is intended.
        option listen_port '51111'

config device
        option name 'eth0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth2'
        option ipv6 '0'

# UCI 'firewall' package (firewall4 / nftables on 22.03) as exported by the
# poster: global defaults, four zones (lan, wan, wgzone, vpnzone), input
# rules and inter-zone forwardings.
package firewall

# Global policies. These apply to traffic that no zone claims.
# NOTE(review): if tun0 is not matched to 'vpnzone' (the situation the
# replies on this page try to fix), packets arriving on tun0 would be judged
# by these defaults: forwarded traffic is rejected, but input to the router
# itself is accepted, which is more permissive than vpnzone's input 'DROP'.
# A default input of 'REJECT' or 'DROP' avoids that fallback exposure.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# Upstream zone: unsolicited input and forwards are dropped, outbound
# traffic is masqueraded.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option input 'DROP'
        option forward 'DROP'
        option network 'wan wwan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accepts UDP 51820 arriving from 'vpnzone' at the router itself.
# NOTE(review): wg0 on this page listens on 51111, and the source is the
# OpenVPN zone rather than 'wan' - confirm this rule still serves a purpose.
config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'OpenWG'
        option family 'ipv4'
        option src 'vpnzone'

# Forward rules from wan into lan for IPsec (ESP and IKE on UDP 500).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# WireGuard zone: input, output and forward are all accepted.
# NOTE(review): if wg0 terminates at a third-party VPN provider, input
# 'ACCEPT' lets the far side reach services on the router - confirm intent.
config zone
        option name 'wgzone'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'wg0'

# OpenVPN zone: masqueraded, with unsolicited input and forwards dropped.
# Membership is defined only through the logical interface 'VPN'; there is
# no device entry for tun0, which is what the workaround on this page adds.
config zone
        option output 'ACCEPT'
        option network 'VPN'
        option name 'vpnzone'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'

# Inter-zone forwardings. Only lan -> vpnzone / lan -> wgzone is needed for
# LAN clients to use a tunnel; replies to established connections are
# allowed by connection tracking without a reverse forwarding.
# NOTE(review): wan -> vpnzone, vpnzone -> wan and vpnzone -> lan let new
# connections originate from the upstream or VPN side; drop them unless
# that is required.
config forwarding
        option dest 'vpnzone'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'vpnzone'

config forwarding
        option dest 'lan'
        option src 'vpnzone'

# NOTE(review): same consideration as vpnzone -> lan above.
config forwarding
        option dest 'lan'
        option src 'wgzone'

config forwarding
        option dest 'vpnzone'
        option src 'lan'

config forwarding
        option dest 'wgzone'
        option src 'lan'
root@R0cky:~# ip route show
default dev VPN scope link
10.13.128.0/24 dev VPN scope link  src 10.13.128.81
65.188.224.197 dev VPN scope link
143.198.101.109 via 172.16.2.1 dev eth0
146.70.50.74 dev VPN scope link
172.16.2.0/24 dev eth0 scope link  src 172.16.2.190
192.168.7.0/24 dev br-lan scope link  src 192.168.7.1
192.252.213.222 dev VPN scope link
209.95.32.125 dev VPN scope link

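Change the protocol of the 'VPN' interface (device tun0) to Unmanaged/none, i.e. option proto 'none' instead of 'dhcp' in /etc/config/network. OpenVPN assigns the address and routes on tun0 itself, so a DHCP client does not need to run on that interface.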

https://forum.openwrt.org/t/issues-configuring-nftables/124961/8 - #8 by Meegooo

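A possible workaround would be to add list device 'tun0' to the VPN firewall zone ('vpnzone' in /etc/config/firewall), so that the zone matches the tun0 device directly rather than only through the 'VPN' logical interface.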